Task Statement 4.3: Implement and maintain confidentiality of data andcommunications of the network.

📘AWS Certified Advanced Networking – Specialty

1. Why Secure DNS is Needed

DNS normally translates:

example.com → IP address

But traditional DNS:

Sends queries in plain text (unencrypted)
Can be intercepted or modified inside networks
Is vulnerable to DNS spoofing / cache poisoning

So in enterprise AWS architectures, DNS security focuses on:

Encrypting DNS traffic
Verifying DNS responses
Controlling DNS resolution paths
Logging and monitoring DNS queries

2. DNS Security Methods in AWS

AWS provides multiple mechanisms depending on architecture (public internet, hybrid networks, and VPCs).

3. DNSSEC (Domain Name System Security Extensions)

What DNSSEC Does

DNSSEC ensures:

DNS responses are authentic
Data has not been modified in transit

It uses cryptographic digital signatures.

How DNSSEC Works (Simple Flow)

DNS zone owner signs DNS records using a private key
Public key is published in DNS records
Resolver verifies response using cryptographic chain of trust

AWS Support for DNSSEC

Amazon Route 53 supports:

1. DNSSEC Signing (Authoritative Side)

Used for public hosted zones
Route 53 signs DNS records automatically
Prevents tampering of DNS responses

2. DNSSEC Validation (Resolver Side)

AWS Route 53 Resolver can validate DNSSEC signatures
Works for VPCs and hybrid DNS setups

Exam Key Points

DNSSEC = integrity + authenticity (NOT encryption)
Route 53 supports:
- Signing (authoritative DNS)
- Validation (resolver side)
Used for public DNS security

4. DNS Encryption Methods (Protecting DNS in Transit)

DNS encryption protects confidentiality by stopping packet inspection.

A. DNS over TLS (DoT)

What it is:

DNS queries are encrypted using TLS (port 853)

AWS usage:

Supported via Route 53 Resolver Inbound and Outbound Endpoints
Used in hybrid networks (on-premises ↔ AWS)

Flow:

On-prem DNS client → encrypted TLS tunnel → Route 53 Resolver endpoint → DNS resolution

B. DNS over HTTPS (DoH)

What it is:

DNS queries are sent over HTTPS (port 443)

AWS exam note:

AWS does NOT natively focus Route 53 Resolver on DoH like DoT
DoH is typically used by applications or third-party DNS services

Exam Key Points

DoT = AWS-supported in hybrid DNS (important exam topic)
DoH = less AWS-native in Advanced Networking context
Encryption = protects confidentiality of DNS queries

5. Route 53 Resolver (Core DNS Security Component)

Route 53 Resolver is central to secure DNS design in AWS.

A. Inbound Resolver Endpoint

Used when:

On-prem systems want to resolve AWS private domains

Security features:

Can enforce TLS encryption (DoT)
Controlled access via security groups

B. Outbound Resolver Endpoint

Used when:

AWS workloads need to resolve on-prem or external DNS

Security features:

Controlled forwarding rules
DNS query logging
Can route securely to corporate DNS

C. Resolver Rules

Used to:

Define where DNS queries go
Forward queries securely to specific DNS servers

Example use:

corp.internal → forward to on-prem DNS over endpoint

Exam Key Points

Resolver endpoints = secure hybrid DNS gateway
Inbound = on-prem → AWS
Outbound = AWS → on-prem
Rules control DNS forwarding paths

6. DNS Firewall (Route 53 Resolver DNS Firewall)

What it does

Blocks or allows DNS queries based on domain rules.

Security use cases:

Block malicious domains
Prevent access to unauthorized domains
Enforce enterprise DNS policies

How it works:

DNS query comes from VPC
Firewall checks domain against rule groups
Decision:
- Allow
- Block
- Alert

Exam Key Points:

DNS Firewall = domain-level traffic control
Works at DNS resolution layer (not IP layer)
Used for outbound traffic protection

7. Route 53 Resolver Query Logging

Purpose:

Records DNS queries for:

Security auditing
Threat detection
Compliance requirements

Logs can be sent to:

Amazon CloudWatch Logs
Amazon S3

Exam Key Points:

Helps detect suspicious DNS activity
Works with Resolver endpoints
Supports compliance monitoring

8. VPC DNS Security Controls

Each VPC has built-in DNS settings:

A. enableDnsSupport

Enables DNS resolution in VPC

B. enableDnsHostnames

Assigns DNS hostnames to instances

Why it matters:

Without these:

Private DNS resolution may fail
Hybrid DNS integration may break

9. Private Hosted Zones (Route 53)

What it is:

A DNS zone accessible only inside VPCs.

Security benefit:

Internal DNS names are not exposed to internet
Reduces DNS exposure risk

Example usage:

db.internal.company resolves only inside AWS network

10. Secure DNS Architecture (Exam Scenario Understanding)

A secure AWS DNS design typically includes:

Route 53 Private Hosted Zones for internal services
DNSSEC for public domain integrity
Route 53 Resolver endpoints for hybrid DNS
DNS over TLS for encrypted query transport
DNS Firewall for domain filtering
Query logging for monitoring and compliance

11. Common Exam Traps

1. DNSSEC vs Encryption

DNSSEC = integrity/authentication
Does NOT encrypt DNS traffic

2. Resolver vs Route 53 Hosted Zone

Hosted Zone = authoritative DNS
Resolver = DNS query handling and forwarding

3. Security Group Role

Controls access to Resolver endpoints

4. DNS Firewall scope

Works at domain resolution level, not IP filtering

12. Quick Exam Summary

To secure DNS communications in AWS, you use:

DNSSEC → ensures DNS authenticity and integrity
DNS over TLS (DoT) → encrypts DNS queries in hybrid environments
Route 53 Resolver endpoints → secure DNS forwarding between on-prem and AWS
DNS Firewall → blocks malicious or unwanted domains
Query logging → monitors DNS activity
Private Hosted Zones → isolates internal DNS names